App Identity Python API Overview

The App Identity API lets an application discover its application ID (also
called the project ID). Using
the ID, an App Engine application can assert its identity to other App Engine
Apps, Google APIs, and third-party applications and services. The
application ID can also be used to generate a URL or email address, or to make
a run-time decision.

Getting the project ID

The project ID can be found using the
app_identity.get_application_id() method.
The WSGI or CGI environment exposes some implementation details, which are
handled by the API.

Getting the application hostname

By default, App Engine apps are served from URLs in the form
http://<your_app_id>.appspot.com, where the app ID is part of the hostname.
If an app is served from a custom domain, it may be necessary to retrieve the
entire hostname component. You can do this using the app_identity.get_default_version_hostname() method.

Asserting identity to other App Engine apps

If you want to determine the identity of the App Engine app that is making a
request to your App Engine app, you can use the request header
X-Appengine-Inbound-Appid. This header is added to the request by the URLFetch
service and is not user modifiable, so it safely indicates the requesting
application's project ID, if present.

Requirements:

Only calls made to your app's appspot.com domain will contain
the X-Appengine-Inbound-Appid header. Calls to custom domains
do not contain the header.

Your requests must be set to not follow redirects.
Set the urlfetch.fetch()follow_redirects parameter to False.

In your application handler, you can check the incoming ID by reading the
X-Appengine-Inbound-Appid header and comparing it to a list of IDs allowed
to make requests. For example:

Asserting identity to Google APIs

Google APIs use the OAuth 2.0 protocol for authentication and
authorization. The
App Identity API can create OAuth tokens that can be used to assert that the
source of a request is the application itself. The get_access_token() method
returns an access token for a scope, or list of scopes. This token can then be
set in the HTTP headers of a call to identify the calling application.

The following example shows how to use the App Identity API to authenticate to the Cloud Storage API and retrieve and list of all buckets in the project.
Note: the Google API Client Libraries can also manage much of this for you automatically.

Note that the application's identity is represented by the service account name, which is typically applicationid@appspot.gserviceaccount.com. You can get the exact value by using the get_service_account_name() method.
For services which offer ACLs, you can grant the application access by granting this account access.

Asserting identity to third-party services

The token generated by get_access_token()
only works against Google services. However you can use the underlying signing technology to assert the identity of your application to other services. The sign_blob() method
will sign bytes using a private key unique to your application, and the get_public_certificates() method
will return certificates which can be used to validate the signature.

Note: The certificates may be rotated from time to time, and the method may
return multiple certificates. Only certificates that are currently valid are
returned; if you store signed messages you will need additional key management
in order to verify signatures later.
Here is an example showing how to sign a blob and validate its signature: